Making Web Services Secure: WS-Security, Part 2
- 10 September, 2002 10:00
If you aren't using Web services yet, there's a good chance that you will in the near future, whether you intend to or not. More tools are appearing every day to make such services easy to develop and use, led by Microsoft's flagship Visual Studio.NET. Web services are one of a long line of Web technologies that has yet to prove itself in the real world, but there is plenty of momentum behind them already.
As someone concerned with security, you're right to look at Web services with a wary eye. As I discussed last week, Web services have the same basic security options as regular Web pages over HTTP, which is to say you can use the same tools to protect yourself. Web services have the same problems as Web sites, along with a few of their own.
To make the new paradigm secure, Microsoft, IBM, and VeriSign have introduced WS-Security and related specifications. WS-Security is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and encryption technologies.
WS-Security, which has yet to be submitted to any standards body, is short for Web Services Security and proposes a standard set of SOAP extensions that can be used when building secure Web services to implement integrity and confidentiality. Collectively, these extensions are called Web Services Security Language. WS-Security provides three main security mechanisms: security token propagation, message integrity, and message confidentiality. You can use these mechanisms independently, such as to pass a security token, or together, such as to sign and encrypt a message along with a security token hierarchy associated with the encryption keys.
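The three mechanisms leave distinct markers in a SOAP message, so a receiver can check which ones a caller actually used. The sketch below is an added example, not code from the article or the specification. It assumes the element names and namespace of the April 2002 WS-Security draft together with XML Signature and XML Encryption; the function names and the sample message are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces (assumed): SOAP 1.1, April 2002 WS-Security draft, XML-DSig, XML-Enc.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://schemas.xmlsoap.org/ws/2002/04/secext",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample: security token plus signature, body left in cleartext.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote><Symbol>EXMP</Symbol></GetQuote></soap:Body>
</soap:Envelope>"""

def mechanisms(envelope_xml):
    """Report which WS-Security mechanisms a message carries.

    Presence only: this does not verify the signature or decrypt anything.
    For untrusted input, parse with a hardened XML parser (e.g. defusedxml).
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    found = {"token": False, "integrity": False, "confidentiality": False}
    if sec is not None:
        found["token"] = (sec.find("wsse:UsernameToken", NS) is not None
                          or sec.find("wsse:BinarySecurityToken", NS) is not None)
        found["integrity"] = sec.find("ds:Signature", NS) is not None
    if body is not None:
        found["confidentiality"] = body.find(".//xenc:EncryptedData", NS) is not None
    return found

def policy_gaps(envelope_xml, required=("token", "integrity", "confidentiality")):
    """Return the required mechanisms that are missing from the message."""
    present = mechanisms(envelope_xml)
    return [m for m in required if not present[m]]

if __name__ == "__main__":
    print(mechanisms(SAMPLE))
    print(policy_gaps(SAMPLE))
```

A check like this only tells a service which mechanisms a caller claimed to use; the signature still has to be verified against a trusted key before the token or the body is relied on.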
The specification defines four "key driving requirements":
* Multiple security tokens for authentication or authorization.
* Multiple trust domains.
* Multiple encryption technologies.
* End-to-end message-level security and not just transport-level security.
The main part of the specification defines a new
WS-Security brings together a set of security technologies, some from network security and others related to XML, to provide protection against the risks of exposing confidential information or allowing a malicious hacker to essentially impersonate a legitimate caller. It is just one crucial technology that will ultimately make Web services a legitimate, secure means of building distributed applications on the Web.
Whether it and the myriad other technologies that make up Web services are enough to make it a compelling technology most certainly remains to be seen.